10-13-2009 12:27 AM
One of the SP customers wants to launch an SSL service for its customers, and wants to have a feature by which his customers would be able to bind their remote users' devices (e.g. laptop, desktop, PDA etc.), preferably on the MAC address, so that they are sure that the user is accessing sensitive information through an authorized device only.
Can you provide a brief description as to how this binding can be achieved in SSL solution? Is this also possible in our IPSec solution?
10-13-2009 07:22 AM
On SSL VPN, you have two choices to do what you wish. You should look at Authentication Policy in the Realm definition to see if any of the controls in there are acceptable - it might be that user certificates might do what you wish.
Host Checker can analyze almost anything on the client PC and you can then use this information to allow or disallow mapping to a role. We base a lot of decisions on obscure registry items. If there is a registry item which has the MAC address in it, you could use this for the type of check you want to do - at least on a PC. The PDA will be tougher - the Host Checker functionality for Windows Mobile devices is less evolved than for PCs.
10-13-2009 10:54 AM
10-14-2009 09:36 AM
MAC addresses can be spoofed (google search 'spoof mac address') so from a security standpoint it is not really the best option.
You can either go the client certificate route (but in this case you are authenticating the user, not the device) or the machine certificate route.
The Machine Certificate check is available under Host Checker > New Policy > Windows: Custom: Machine Certificate.
You can restrict access to a subset of Machine Certificates issued by a particular CA only (by installing the cert in Trusted Client CA) or to a specific CA DN.
Of course you need to issue and manage these certificates on the endpoints (whether they are user certificates or machine certificates).
Other options are available too (e.g "hidden" registry check) but they are less secure as registry can be edited, if you know what you need in order to pass the host check.